js-xss icon indicating copy to clipboard operation
js-xss copied to clipboard

Published 20 hours ago verified publisher icon leizongmin

Fix slashes as separators.

Open hensleysecurity opened this issue 2 years ago • 2 comments

This should resolve #268.

hensleysecurity avatar Dec 28 '22 00:12 hensleysecurity

The mainstream html parser will parse it into the following results:

[
  {
    "tag": "img",
    "attrs": {
      "width": "100/height=200/src=\"#\"/"
    }
  }
]

image

I think treating the slash as a delimiter might present a potential problem.

leizongmin avatar Mar 23 '23 02:03 leizongmin

@leizongmin I am not able to replicate your result. It looks like maybe you wrapped the slashes inside quotes in your source HTML. Please try the following example instead:

<html>
  <body>
    <img/width="100"/height="200"/src="#"/>
  </body>
</html>

I see the behavior I would expect when I try this in Chrome: console

And Firefox as well: console2

Also please see the HTML spec:

When the prescan a byte stream to determine its encoding algorithm says to get an attribute, it means doing this:

If the byte at position is one of 0x09 (HT), 0x0A (LF), 0x0C (FF), 0x0D (CR), 0x20 (SP), or 0x2F (/) then advance position to the next byte and redo this step.

In other words, when getting HTML attributes, a properly implemented web browser will treat a / the same as a whitespace character, so I think it's very important that this project's code does the same thing.

hensleysecurity avatar Mar 24 '23 04:03 hensleysecurity